2020-10-17 20:46:46 +00:00
|
|
|
id: waf-detect
|
2020-09-27 20:13:29 +00:00
|
|
|
|
|
|
|
info:
|
2020-10-17 20:46:46 +00:00
|
|
|
name: WAF Detection
|
2021-06-09 12:20:56 +00:00
|
|
|
author: dwisiswant0,lu4nx
|
2020-09-27 20:13:29 +00:00
|
|
|
severity: info
|
2022-03-22 03:48:47 +00:00
|
|
|
description: A web application firewall was detected.
|
2022-04-22 10:38:41 +00:00
|
|
|
reference:
|
|
|
|
- https://github.com/Ekultek/WhatWaf
|
2022-03-22 03:48:47 +00:00
|
|
|
classification:
|
|
|
|
cwe-id: CWE-200
|
2022-04-22 10:38:41 +00:00
|
|
|
tags: waf,tech,misc
|
2023-04-28 08:11:21 +00:00
|
|
|
metadata:
|
|
|
|
max-request: 1
|
2020-09-27 20:13:29 +00:00
|
|
|
|
2023-04-27 04:28:59 +00:00
|
|
|
http:
|
2020-09-27 20:13:29 +00:00
|
|
|
- raw:
|
2020-09-27 20:16:10 +00:00
|
|
|
- |
|
2021-08-19 14:44:46 +00:00
|
|
|
POST / HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
2020-09-27 20:13:29 +00:00
|
|
|
|
2021-08-19 14:44:46 +00:00
|
|
|
_=<script>alert(1)</script>
|
2020-09-28 19:44:06 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
matchers:
|
|
|
|
- type: regex
|
|
|
|
name: instart
|
|
|
|
regex:
|
|
|
|
- '(?i)instartrequestid'
|
2021-05-28 05:15:16 +00:00
|
|
|
part: body
|
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: perimx
|
|
|
|
regex:
|
|
|
|
- '(?i)access.to.this.page.has.been.denied.because.we.believe.you.are.using.automation.tool'
|
|
|
|
- '(?i)http(s)?://(www.)?perimeterx.\w+.whywasiblocked'
|
|
|
|
- '(?i)perimeterx'
|
|
|
|
- '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:15:16 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: webknight
|
|
|
|
regex:
|
|
|
|
- '(?i)\bwebknight'
|
|
|
|
- '(?i)webknight'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:15:16 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: zscaler
|
|
|
|
regex:
|
|
|
|
- '(?i)zscaler(.\d+(.\d+)?)?'
|
|
|
|
- '(?i)zscaler'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:15:16 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: fortigate
|
|
|
|
regex:
|
|
|
|
- '(?i).>powered.by.fortinet<.'
|
|
|
|
- '(?i).>fortigate.ips.sensor<.'
|
|
|
|
- '(?i)fortigate'
|
|
|
|
- '(?i).fgd_icon'
|
|
|
|
- '(?i)\AFORTIWAFSID='
|
|
|
|
- '(?i)application.blocked.'
|
|
|
|
- '(?i).fortiGate.application.control'
|
|
|
|
- '(?i)(http(s)?)?://\w+.fortinet(.\w+:)?'
|
|
|
|
- '(?i)fortigate.hostname'
|
|
|
|
- '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:15:16 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: teros
|
|
|
|
regex:
|
|
|
|
- '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:15:16 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: stricthttp
|
|
|
|
regex:
|
|
|
|
- '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:15:16 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: stricthttp
|
|
|
|
regex:
|
|
|
|
- '(?i)rejected.by.url.scan'
|
|
|
|
- '(?i)/rejected.by.url.scan'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:15:16 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: shadowd
|
|
|
|
regex:
|
|
|
|
- '(?i)<h\d>\d{3}.forbidden<.h\d>'
|
|
|
|
- '(?i)request.forbidden.by.administrative.rules.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: bigip
|
|
|
|
regex:
|
|
|
|
- '(?i)\ATS\w{4,}='
|
|
|
|
- '(?i)bigipserver(.i)?|bigipserverinternal'
|
|
|
|
- '(?i)^TS[a-zA-Z0-9]{3,8}='
|
|
|
|
- '(?i)BigIP|BIG-IP|BIGIP'
|
|
|
|
- '(?i)bigipserver'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: edgecast
|
|
|
|
regex:
|
|
|
|
- '(?i)\Aecdf'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: radware
|
|
|
|
regex:
|
|
|
|
- '(?i).\bcloudwebsec.radware.com\b.'
|
|
|
|
- '(?i).>unauthorized.activity.has.been.detected<.'
|
|
|
|
- '(?i)with.the.following.case.number.in.its.subject:.\d+.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: varnish
|
|
|
|
regex:
|
|
|
|
- '(?i)varnish'
|
|
|
|
- '(?i).>.?security.by.cachewall.?<.'
|
|
|
|
- '(?i)cachewall'
|
|
|
|
- '(?i).>access.is.blocked.according.to.our.site.security.policy.<+'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: infosafe
|
|
|
|
regex:
|
|
|
|
- '(?i)infosafe'
|
|
|
|
- '(?i)by.(http(s)?(.//)?)?7i24.(com|net)'
|
|
|
|
- '(?i)infosafe.\d.\d'
|
|
|
|
- '(?i)var.infosafekey='
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: aliyundun
|
|
|
|
regex:
|
|
|
|
- '(?i)error(s)?.aliyun(dun)?.(com|net)'
|
|
|
|
- '(?i)http(s)?://(www.)?aliyun.(com|net)'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: ats
|
|
|
|
regex:
|
|
|
|
- '(?i)(\()?apachetrafficserver((\/)?\d+(.\d+(.\d+)?)?)'
|
|
|
|
- '(?i)ats((\/)?(\d+(.\d+(.\d+)?)?))?'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: malcare
|
|
|
|
regex:
|
|
|
|
- '(?i)malcare'
|
|
|
|
- '(?i).>login.protection<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
|
|
|
|
- '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: wts
|
|
|
|
regex:
|
|
|
|
- '(?i)(<title>)?wts.wa(f)?(\w+(\w+(\w+)?)?)?'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: dw
|
|
|
|
regex:
|
|
|
|
- '(?i)dw.inj.check'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: denyall
|
|
|
|
regex:
|
|
|
|
- '(?i)\Acondition.intercepted'
|
|
|
|
- '(?i)\Asessioncookie='
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: yunsuo
|
|
|
|
regex:
|
|
|
|
- '(?i)<img.class=.yunsuologo.'
|
|
|
|
- '(?i)yunsuo.session'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: litespeed
|
|
|
|
regex:
|
|
|
|
- '(?i)litespeed.web.server'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: cloudfront
|
|
|
|
regex:
|
|
|
|
- '(?i)[a-zA-Z0-9]{,60}.cloudfront.net'
|
|
|
|
- '(?i)cloudfront'
|
|
|
|
- '(?i)x.amz.cf.id|nguardx'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: anyu
|
|
|
|
regex:
|
|
|
|
- '(?i)sorry.{1,2}your.access.has.been.intercept(ed)?.by.anyu'
|
|
|
|
- '(?i)anyu'
|
|
|
|
- '(?i)anyu-?.the.green.channel'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: googlewebservices
|
|
|
|
regex:
|
|
|
|
- '(?i)your.client.has.issued.a.malformed.or.illegal.request'
|
|
|
|
- '(?i)our.systems.have.detected.unusual.traffic'
|
|
|
|
- '(?i)block(ed)?.by.g.cloud.security.policy.+'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: didiyun
|
|
|
|
regex:
|
|
|
|
- '(?i)(http(s)?://)(sec-waf.|www.)?didi(static|yun)?.com(/static/cloudwafstatic)?'
|
|
|
|
- '(?i)didiyun'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: blockdos
|
|
|
|
regex:
|
|
|
|
- '(?i)blockdos\.net'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: codeigniter
|
|
|
|
regex:
|
|
|
|
- '(?i)the.uri.you.submitted.has.disallowed.characters'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: stingray
|
|
|
|
regex:
|
|
|
|
- '(?i)\AX-Mapping-'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: west263
|
|
|
|
regex:
|
|
|
|
- '(?i)wt\d*cdn'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: aws
|
|
|
|
regex:
|
|
|
|
- '(?i)<RequestId>[0-9a-zA-Z]{16,25}<.RequestId>'
|
|
|
|
- '(?i)<Error><Code>AccessDenied<.Code>'
|
|
|
|
- '(?i)x.amz.id.\d+'
|
|
|
|
- '(?i)x.amz.request.id'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: yundun
|
|
|
|
regex:
|
|
|
|
- '(?i)YUNDUN'
|
|
|
|
- '(?i)^yd.cookie='
|
|
|
|
- '(?i)http(s)?.//(www\.)?(\w+.)?yundun(.com)?'
|
|
|
|
- '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: barracuda
|
|
|
|
regex:
|
|
|
|
- '(?i)\Abarra.counter.session=?'
|
|
|
|
- '(?i)(\A|\b)?barracuda.'
|
|
|
|
- '(?i)barracuda.networks.{1,2}inc'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: dodenterpriseprotection
|
|
|
|
regex:
|
|
|
|
- '(?i)dod.enterprise.level.protection.system'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: secupress
|
|
|
|
regex:
|
|
|
|
- '(?i)<h\d*>secupress<.'
|
|
|
|
- '(?i)block.id.{1,2}bad.url.contents.<.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: aesecure
|
|
|
|
regex:
|
|
|
|
- '(?i)aesecure.denied.png'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: incapsula
|
|
|
|
regex:
|
|
|
|
- '(?i)incap_ses|visid_incap'
|
|
|
|
- '(?i)incapsula'
|
|
|
|
- '(?i)incapsula.incident.id'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: nexusguard
|
|
|
|
regex:
|
|
|
|
- '(?i)nexus.?guard'
|
|
|
|
- '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: cloudflare
|
|
|
|
regex:
|
|
|
|
- '(?i)cloudflare.ray.id.|var.cloudflare.'
|
|
|
|
- '(?i)cloudflare.nginx'
|
|
|
|
- '(?i)..cfduid=([a-z0-9]{43})?'
|
|
|
|
- '(?i)cf[-|_]ray(..)?([0-9a-f]{16})?[-|_]?(dfw|iad)?'
|
|
|
|
- '(?i).>attention.required!.\|.cloudflare<.+'
|
|
|
|
- '(?i)http(s)?.//report.(uri.)?cloudflare.com(/cdn.cgi(.beacon/expect.ct)?)?'
|
|
|
|
- '(?i)ray.id'
|
2020-10-17 20:46:46 +00:00
|
|
|
- '(?i)__cfduid'
|
2020-09-27 20:13:29 +00:00
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: akamai
|
|
|
|
regex:
|
|
|
|
- '(?i).>access.denied<.'
|
|
|
|
- '(?i)akamaighost'
|
|
|
|
- '(?i)ak.bmsc.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: webseal
|
|
|
|
regex:
|
|
|
|
- '(?i)webseal.error.message.template'
|
|
|
|
- '(?i)webseal.server.received.an.invalid.http.request'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: dotdefender
|
|
|
|
regex:
|
|
|
|
- '(?i)dotdefender.blocked.your.request'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: pk
|
|
|
|
regex:
|
|
|
|
- '(?i).>pkSecurityModule\W..\WSecurity.Alert<.'
|
|
|
|
- '(?i).http(s)?.//([w]{3})?.kitnetwork.\w'
|
|
|
|
- '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: expressionengine
|
|
|
|
regex:
|
|
|
|
- '(?i).>error.-.expressionengine<.'
|
|
|
|
- '(?i).>:.the.uri.you.submitted.has.disallowed.characters.<.'
|
|
|
|
- '(?i)invalid.(get|post).data'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: comodo
|
|
|
|
regex:
|
|
|
|
- '(?i)protected.by.comodo.waf'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: ciscoacexml
|
|
|
|
regex:
|
|
|
|
- '(?i)ace.xml.gateway'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: barikode
|
|
|
|
regex:
|
|
|
|
- '(?i).>barikode<.'
|
|
|
|
- '(?i)<h\d{1}>forbidden.access<.h\d{1}>'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: watchguard
|
|
|
|
regex:
|
|
|
|
- '(?i)(request.denied.by.)?watchguard.firewall'
|
|
|
|
- '(?i)watchguard(.technologies(.inc)?)?'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: binarysec
|
|
|
|
regex:
|
|
|
|
- '(?i)x.binarysec.via'
|
|
|
|
- '(?i)x.binarysec.nocache'
|
|
|
|
- '(?i)binarysec'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: bekchy
|
|
|
|
regex:
|
|
|
|
- '(?i)bekchy.(-.)?access.denied'
|
|
|
|
- '(?i)(http(s)?://)(www.)?bekchy.com(/report)?'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: bitninja
|
|
|
|
regex:
|
|
|
|
- '(?i)bitninja'
|
|
|
|
- '(?i)security.check.by.bitninja'
|
|
|
|
- '(?i).>visitor.anti(\S)?robot.validation<.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: apachegeneric
|
|
|
|
regex:
|
|
|
|
- '(?i)apache'
|
|
|
|
- '(?i).>you.don.t.have.permission.to.access+'
|
|
|
|
- '(?i)was.not.found.on.this.server'
|
|
|
|
- '(?i)<address>apache/([\d+{1,2}](.[\d+]{1,2}(.[\d+]{1,3})?)?)?'
|
|
|
|
- '(?i)<title>403 Forbidden</title>'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: greywizard
|
|
|
|
regex:
|
|
|
|
- '(?i)greywizard(.\d.\d(.\d)?)?'
|
|
|
|
- '(?i)grey.wizard.block'
|
|
|
|
- '(?i)(http(s)?.//)?(\w+.)?greywizard.com'
|
|
|
|
- '(?i)grey.wizard'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: configserver
|
|
|
|
regex:
|
|
|
|
- '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: viettel
|
|
|
|
regex:
|
|
|
|
- '(?i)<title>access.denied(...)?viettel.waf</title>'
|
|
|
|
- '(?i)viettel.waf.system'
|
|
|
|
- '(?i)(http(s).//)?cloudrity.com(.vn)?'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: safedog
|
|
|
|
regex:
|
|
|
|
- '(?i)(http(s)?)?(://)?(www|404|bbs|\w+)?.safedog.\w'
|
|
|
|
- '(?i)waf(.?\d+.?\d+)'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: baidu
|
|
|
|
regex:
|
|
|
|
- '(?i)yunjiasu.nginx'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: alertlogic
|
|
|
|
regex:
|
|
|
|
- '(?i).>requested.url.cannot.be.found<.'
|
|
|
|
- '(?i)proceed.to.homepage'
|
|
|
|
- '(?i)back.to.previous.page'
|
|
|
|
- "(?i)we('re|.are)?sorry.{1,2}but.the.page.you.are.looking.for.cannot"
|
|
|
|
- '(?i)reference.id.?'
|
|
|
|
- '(?i)page.has.either.been.removed.{1,2}renamed'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: armor
|
|
|
|
regex:
|
|
|
|
- '(?i)blocked.by.website.protection.from.armour'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: dosarrest
|
|
|
|
regex:
|
|
|
|
- '(?i)dosarrest'
|
|
|
|
- '(?i)x.dis.request.id'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: paloalto
|
|
|
|
regex:
|
|
|
|
- 'has.been.blocked.in.accordance.with.company.policy'
|
|
|
|
- '.>Virus.Spyware.Download.Blocked<.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: aspgeneric
|
|
|
|
regex:
|
|
|
|
- '(?i)this.generic.403.error.means.that.the.authenticated'
|
|
|
|
- '(?i)request.could.not.be.understood'
|
|
|
|
- '(?i)<.+>a.potentially.dangerous.request(.querystring)?.+'
|
|
|
|
- '(?i)runtime.error'
|
|
|
|
- '(?i).>a.potentially.dangerous.request.path.value.was.detected.from.the.client+'
|
|
|
|
- '(?i)asp.net.sessionid'
|
|
|
|
- '(?i)errordocument.to.handle.the.request'
|
|
|
|
- '(?i)an.application.error.occurred.on.the.server'
|
|
|
|
- '(?i)error.log.record.number'
|
|
|
|
- '(?i)error.page.might.contain.sensitive.information'
|
|
|
|
- "(?i)<.+>server.error.in.'/'.application.+"
|
|
|
|
- '(?i)\basp.net\b'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: powerful
|
|
|
|
regex:
|
|
|
|
- '(?i)Powerful Firewall'
|
|
|
|
- '(?i)http(s)?...tiny.cc.powerful.firewall'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: uewaf
|
|
|
|
regex:
|
|
|
|
- '(?i)http(s)?.//ucloud'
|
|
|
|
- '(?i)uewaf(.deny.pages)'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: janusec
|
|
|
|
regex:
|
|
|
|
- '(?i)janusec'
|
|
|
|
- '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: siteguard
|
|
|
|
regex:
|
|
|
|
- '(?i)>Powered.by.SiteGuard.Lite<'
|
|
|
|
- '(?i)refuse.to.browse'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: sonicwall
|
|
|
|
regex:
|
|
|
|
- '(?i)This.request.is.blocked.by.the.SonicWALL'
|
|
|
|
- '(?i)Dell.SonicWALL'
|
|
|
|
- '(?i)\bDell\b'
|
|
|
|
- '(?i)Web.Site.Blocked.+\bnsa.banner'
|
|
|
|
- '(?i)SonicWALL'
|
|
|
|
- '(?i).>policy.this.site.is.blocked<.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: jiasule
|
|
|
|
regex:
|
|
|
|
- '(?i)^jsl(_)?tracking'
|
|
|
|
- '(?i)(__)?jsluid(=)?'
|
|
|
|
- '(?i)notice.jiasule'
|
|
|
|
- '(?i)(static|www|dynamic).jiasule.(com|net)'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: nginxgeneric
|
|
|
|
regex:
|
|
|
|
- '(?i)nginx'
|
|
|
|
- '(?i)you.do(not|n.t)?.have.permission.to.access.this.document'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: stackpath
|
|
|
|
regex:
|
|
|
|
- '(?i)action.that.triggered.the.service.and.blocked'
|
|
|
|
- '(?i)<h2>sorry,.you.have.been.blocked.?<.h2>'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: sabre
|
|
|
|
regex:
|
|
|
|
- '(?i)dxsupport@sabre.com'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: wordfence
|
|
|
|
regex:
|
|
|
|
- '(?i)generated.by.wordfence'
|
|
|
|
- '(?i)your.access.to.this.site.has.been.limited'
|
|
|
|
- '(?i).>wordfence<.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: '360'
|
|
|
|
regex:
|
|
|
|
- '(?i).wzws.waf.cgi.'
|
|
|
|
- '(?i)wangzhan\.360\.cn'
|
|
|
|
- '(?i)qianxin.waf'
|
|
|
|
- '(?i)360wzws'
|
|
|
|
- '(?i)transfer.is.blocked'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: asm
|
|
|
|
regex:
|
|
|
|
- '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: rsfirewall
|
|
|
|
regex:
|
|
|
|
- '(?i)com.rsfirewall.403.forbidden'
|
|
|
|
- '(?i)com.rsfirewall.event'
|
|
|
|
- '(?i)(\b)?rsfirewall(\b)?'
|
|
|
|
- '(?i)rsfirewall'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: sucuri
|
|
|
|
regex:
|
|
|
|
- '(?i)access.denied.-.sucuri.website.firewall'
|
|
|
|
- '(?i)sucuri.webSite.firewall.-.cloudProxy.-.access.denied'
|
|
|
|
- '(?i)questions\?.+cloudproxy@sucuri\.net'
|
|
|
|
- '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: airlock
|
|
|
|
regex:
|
|
|
|
- '(?i)\Aal[.-]?(sess|lb)=?'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: xuanwudun
|
|
|
|
regex:
|
|
|
|
- '(?i)class=.(db)?waf.?(-row.)?>'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
2021-05-27 12:20:31 +00:00
|
|
|
name: chuangyudun
|
2020-09-27 20:13:29 +00:00
|
|
|
regex:
|
|
|
|
- '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: securesphere
|
|
|
|
regex:
|
|
|
|
- '(?i)<h2>error<.h2>'
|
|
|
|
- '(?i)<title>error<.title>'
|
|
|
|
- '(?i)<b>error<.b>'
|
|
|
|
- '(?i)<td.class="(errormessage|error)".height="[0-9]{1,3}".width="[0-9]{1,3}">'
|
|
|
|
- '(?i)the.incident.id.(is|number.is).'
|
|
|
|
- '(?i)page.cannot.be.displayed'
|
|
|
|
- '(?i)contact.support.for.additional.information'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: anquanbao
|
|
|
|
regex:
|
|
|
|
- '(?i).aqb_cc.error.'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: modsecurity
|
|
|
|
regex:
|
|
|
|
- '(?i)ModSecurity|NYOB'
|
|
|
|
- '(?i)mod_security'
|
|
|
|
- '(?i)this.error.was.generated.by.mod.security'
|
|
|
|
- '(?i)web.server at'
|
|
|
|
- '(?i)page.you.are.(accessing|trying)?.(to|is)?.(access)?.(is|to)?.(restricted)?'
|
|
|
|
- '(?i)blocked.by.mod.security'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: modsecurityowasp
|
|
|
|
regex:
|
|
|
|
- '(?i)not.acceptable'
|
|
|
|
- '(?i)additionally\S.a.406.not.acceptable'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: squid
|
|
|
|
regex:
|
|
|
|
- '(?i)squid'
|
|
|
|
- '(?i)Access control configuration prevents'
|
|
|
|
- '(?i)X.Squid.Error'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: shieldsecurity
|
|
|
|
regex:
|
|
|
|
- '(?i)blocked.by.the.shield'
|
|
|
|
- '(?i)transgression(\(s\))?.against.this'
|
|
|
|
- '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate'
|
|
|
|
condition: or
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2020-09-27 20:13:29 +00:00
|
|
|
- type: regex
|
|
|
|
name: wallarm
|
|
|
|
regex:
|
|
|
|
- '(?i)nginix.wallarm'
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-28 05:18:39 +00:00
|
|
|
|
2021-05-27 12:20:31 +00:00
|
|
|
- type: regex
|
2022-04-20 14:38:07 +00:00
|
|
|
part: response
|
2021-05-27 12:20:31 +00:00
|
|
|
name: huaweicloud
|
|
|
|
condition: and
|
|
|
|
regex:
|
|
|
|
- '(?)content="CloudWAF"'
|
|
|
|
- 'Server: CloudWAF'
|
2022-03-22 03:48:47 +00:00
|
|
|
- 'Set-Cookie: HWWAFSESID='
|